Matrix42 Self-Service Help Center

LDAP Syntax and Filter

Feature

Silverback MDM has the ability to autopopulate tags based on LDAP filters. These filters can be very simple or complex. You can search one specific group, multiple groups, exclude groups from your results, or even search nested groups.

To search a single group, you need to specify what you are searching for and in what group:
(memberOf=CN=Example1,OU=Distribution Groups,OU=Example,DC=Example,DC=com)

You can also use logical operators to perform more complex searches. LDAP supports three logical operators:

& – AND – ((This) AND (This))
| – OR – ((This) OR (This))
! – NOT – (Everything that is NOT This)

If we continue on from the last example, the following filters will return different results:

AND Operator

(&(memberOf=CN=Example1,OU=Distribution Groups,OU=Example,DC=Example,DC=com)(memberOf=CN=Example2,OU=Distribution Groups,OU=Example,DC=Example,DC=com))

This filter will return only those members that exist in both the Example1 and Example2 groups.

OR Operator

(|(memberOf=CN=Example1,OU=Distribution Groups,OU=Example,DC=Example,DC=com)(memberOf=CN=Example2,OU=Distribution Groups,OU=Example,DC=Example,DC=com))

This filter will return all members of both groups, that is, anyone who is in Example1 or in Example2.

NOT Operator

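(!(memberOf=CN=Example1,OU=Distribution Groups,OU=Example,DC=Example,DC=com))

This filter will exclude the group Example1. Therefore the search will return members of Example2. On its own, a NOT filter matches every object in the search scope that does not meet the condition, so it is usually combined with other conditions using &.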

More Information

Silverback also allows you to filter on the object type user (objectClass=user). This limits the search to objects in LDAP that are physical user logins:

(&(objectClass=user)(memberOf=CN=Example1,OU=Distribution Groups,OU=Example,DC=example,DC=com))

If your organization has nested security groups within OUs, performing the searches from the above examples will not identify any of the members within the nested security groups. To achieve this, an additional search parameter (OID) must be included to tell the search filter to “follow the chain of ancestry objects all the way to the root and find a match”.

The specific OID required is 1.2.840.113556.1.4.1941.

If you had a security group called SecurityGroup1 nested in Example1, the following filter will NOT return any members within SecurityGroup1:

(memberOf=cn=Example1,OU=Distribution Groups,OU=Example,DC=example,DC=com)

To find all the relevant members, including the ones in the nested security group, the following filter must be used:

(&(memberOf:1.2.840.113556.1.4.1941:=cn=Example1,OU=Distribution Groups,OU=Example,DC=example,DC=com))
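The filters above can also be assembled programmatically, which keeps the parentheses balanced and escapes characters that have special meaning inside a filter value (RFC 4515). The following Python sketch is an added example, not part of Silverback; the function names are illustrative, the group name "Sales (EMEA)" is constructed, and the group DN passed in is assumed to already be a valid DN string.

```python
# Added example, not Silverback code. Function names are illustrative.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # nested-group OID quoted on this page

# RFC 4515: these characters must appear as \XX inside a filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value so it cannot alter the structure of the filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of(group_dn: str, nested: bool = False) -> str:
    """Build a memberOf term; nested=True adds the in-chain matching rule."""
    attr = f"memberOf:{IN_CHAIN_OID}:" if nested else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"


def all_of(*terms: str) -> str:   # & operator
    return "(&" + "".join(terms) + ")"


def any_of(*terms: str) -> str:   # | operator
    return "(|" + "".join(terms) + ")"


def none_of(term: str) -> str:    # ! operator takes exactly one term
    return "(!" + term + ")"


def is_single_filter(text: str) -> bool:
    """True if parentheses balance and enclose exactly one top-level filter."""
    depth = 0
    for i, ch in enumerate(text):
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0 or (depth == 0 and i != len(text) - 1):
                return False
    return depth == 0 and text.startswith("(")


if __name__ == "__main__":
    base = "OU=Distribution Groups,OU=Example,DC=example,DC=com"
    nested = member_of(f"cn=Example1,{base}", nested=True)
    users_nested = all_of("(objectClass=user)", nested)
    print(users_nested, is_single_filter(users_nested))
    # Constructed group name with parentheses: emitted as \28 and \29.
    print(member_of(f"CN=Sales (EMEA),{base}"))
```

Running is_single_filter over a hand-written filter before saving it catches a missing or extra parenthesis, which would otherwise cause the tag to be populated from the wrong set of users or not at all.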